Integrating security policy and event management

US 9,548,994 B2
Filed: 09/16/2014
Issued: 01/17/2017
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:

access security data identifying a plurality of security events detected in a computing system, wherein each of the plurality of security events is based on a respective one of a plurality of security policies;

determine, for each of the plurality of security events, attributes of the event from the security data;

present a representation of the plurality of security events in an interactive graphical user interface, wherein the representation comprises a plurality of graphical elements, each graphical element represents a respective subset of the plurality of security events corresponding to an intersection of at least two respective event attributes, size of each graphical element is rendered to indicate an amount of the plurality of security events included in the corresponding subset; and

detect a user interaction with a particular one of the plurality of graphical elements through the graphical user interface, wherein the particular graphical element corresponds to a particular subset of the plurality of security events, and the user interaction causes a presentation of a view, within the graphical user interface, identifying a respective subset of the plurality of security policies corresponding to detection of the particular subset of security events.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of security events is detected in a computing system, each security event based on at least one policy in a plurality of security policies. Respective interactive graphical representations are presented in a graphical user interface (GUI) of either or both of the security events or security policies. The representations include interactive graphical elements representing the respective security events or security policies. User selection of a particular event element via the interactive GUI causes a subset of the security policies to be identified, each security policy in the subset serving as a basis for at least one particular security event represented by the particular event element. User selection of a particular policy element via the interactive GUI causes a subset of the security policies to be identified, each security event in the subset based at least in part on a particular security policy represented by the particular policy element.

Citations

17 Claims

1. At least one non-transitory machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- access security data identifying a plurality of security events detected in a computing system, wherein each of the plurality of security events is based on a respective one of a plurality of security policies;
  
  determine, for each of the plurality of security events, attributes of the event from the security data;
  
  present a representation of the plurality of security events in an interactive graphical user interface, wherein the representation comprises a plurality of graphical elements, each graphical element represents a respective subset of the plurality of security events corresponding to an intersection of at least two respective event attributes, size of each graphical element is rendered to indicate an amount of the plurality of security events included in the corresponding subset; and
  
  detect a user interaction with a particular one of the plurality of graphical elements through the graphical user interface, wherein the particular graphical element corresponds to a particular subset of the plurality of security events, and the user interaction causes a presentation of a view, within the graphical user interface, identifying a respective subset of the plurality of security policies corresponding to detection of the particular subset of security events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The storage medium of claim 1, wherein each graphical element is presented to indicate whether the subset of security events comprises at least one event of a particular type.
  - 3. The storage medium of claim 2, wherein the particular type comprises a critical security event.
  - 4. The storage medium of claim 2, wherein a color of the graphical element indicates whether the subset of security events comprises at least one event of the particular type.
  - 5. The storage medium of claim 1, wherein each graphical element comprises a selectable element and selection of the element causes a view to be presented to describe details of security events in the subset corresponding to the element.
  - 6. The storage medium of claim 1, wherein the representation further comprises a grid, an x-axis of the grid corresponds to a first plurality of event attributes of a first type, a y-axis of the grid corresponds to a second plurality of event attributes of a second type, each grid intersection corresponds to an intersection of a respective one of the event attributes of the first type and a respective one of the event attributes of the second type, and each of the graphical elements is located at a respective one of the grid intersections and represents an amount of detected security events having both the corresponding event attribute of the first type and the corresponding event attributes of the second type.
  - 7. The storage medium of claim 1, wherein each of the plurality of graphical elements comprises a respective circular graphical element and the size comprises a diameter of the respective graphical element to indicate the amount of events represented by the circular graphical element.
  - 8. The storage medium of claim 1, wherein the plurality of security policies comprise a plurality of security policies defined for the computing system.
  - 9. The storage medium of claim 1, wherein the subset of security policies includes all security policies serving as a basis for any one of the particular subset of security events corresponding to the particular event.
  - 10. The storage medium of claim 1, wherein the view comprises a listing of the subset of the security policies and the instructions, when executed, further cause the machine to receive, via the interactive graphical user interface, a user selection of a particular security policy presented in the listing of the subset of security policies.
  - 11. The storage medium of claim 10, wherein selection of the particular security policy presented in the listing causes a window to be displayed including a view of attributes of the particular security policy.
  - 12. The storage medium of claim 11, wherein the instructions, when executed, further cause the machine to:
    - receive user inputs, via the window, indicating a modification to the particular security policy; and
      
      modify the particular security policy in accordance with the indicated modification.
  - 13. The storage medium of claim 1, wherein the security data is generated by at least one security tool adapted to detect security events in a computing system.
  - 14. The storage medium of claim 1, wherein at least one of the event attributes corresponds to a type of the security event.

15. A method comprising:
- accessing security data identifying a plurality of security events detected in a computing system, wherein each security event in the plurality of security events is based on at least one policy in a plurality of security policies defined for the computing system;
  
  determining, for each of the plurality of security events, attributes of the event from the security data;
  
  presenting a representation of the plurality of security events in an interactive graphical user interface, wherein the representation comprises a plurality of graphical elements, each graphical element represents a respective subset of the plurality of security events corresponding to an intersection of at least two respective event attributes, size of each graphical element is rendered to indicate an amount of the plurality of security events included in the corresponding subset; and
  
  detecting a user interaction with a particular one of the plurality of graphical elements through the graphical user interface, wherein the particular graphical element corresponds to a particular subset of the plurality of security events, and the user interaction causes a presentation of a view, within the graphical user interface, identifying a respective subset of the plurality of security policies corresponding to detection of the particular subset of security events.

16. A system comprising:
- at least one processor device;
  
  at least one memory element;
  
  an event manager, comprising logic when executed by the at least one processor device to;
  
  access security data identifying a plurality of security events detected in a computing system, each security event in the plurality of security events based on at least one policy in a plurality of security policies defined for the computing system; and
  
  determine, for each of the plurality of security events, attributes of the event from the security data; and
  
  a security event user interface engine, comprising logic when executed by the at least one processor device to;
  
  present a representation of the plurality of security events in an interactive graphical user interface, wherein the representation comprises a plurality of graphical elements, each graphical element represents a respective subset of the plurality of security events corresponding to an intersection of at least two respective event attributes, size of each graphical element is rendered to indicate an amount of the plurality of security events included in the corresponding subset; and
  
  detect a user interaction with a particular one of the plurality of graphical elements through the graphical user interface, wherein the particular graphical element corresponds to a particular subset of the plurality of security events, and the user interaction causes a presentation of a view, within the graphical user interface, identifying a respective subset of the plurality of security policies corresponding to detection of the particular subset of security events.
- View Dependent Claims (17)
- - 17. The system of claim 16, further comprising a policy editor to modify a particular one of the plurality of security policies based on a user input received through the graphical user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Pearcy, Derek Patton, Heinrich, Jessica Anne, Gaskins, Jessica Jeanne, Phillips, Craig Anthony
Primary Examiner(s)
SHAIFER HARRIMAN, DANT B

Application Number

US14/487,927
Publication Number

US 20150074750A1
Time in Patent Office

854 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 3/04842   Selection of displayed obje...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Integrating security policy and event management

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Integrating security policy and event management

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links